https://gallery.earlybeasts.live/picture.php?/3/category/2

Weavertech (2)

Species Mind

Speeding up uploads over HTTP2

Meow was struggling here with the upload of video messages to a personal Matrix server (by the way, here it is: https://earlybeasts.live/matrix-propaganda-russian/) being slow (down to as little as 100 kilobytes per second). And that on a server with a fat pipe, 128 GB of RAM and so on.

And it was all solved simply... meow has Nginx in front of Synapse as a reverse proxy, with HTTP2 enabled in it. And by default Nginx allocates tiny buffers (something like 16 KB) for uploads.

It is fixed like this (meow uses 2 MB buffers, which seems like a lot):

# HTTP2
http2 on;
client_body_buffer_size 2048k;

Details are over there: https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/

Species Mind

OpenWRT, WDS and strange SSH problem

Some time ago we switched from a cabled setup to a fully wireless one... and today we found that we were unable to SSH to any machine. Here you'll find the whole story and how to fix the problem.

The setup

An Ethernet cable (coming from the provider's coaxial-to-Ethernet converter) with a white (static public) IP.

The main router is connected to this cable. It runs OpenWRT and acts as a WDS-enabled access point.

Some secondary routers, also running OpenWRT, connected wirelessly to the main one. Those routers:

  • relay the internet further via WDS;
  • allow wired connections via their ports.

Some devices connected to the secondary routers by wire or wirelessly.

The problem

If the end-user device is connected directly to the main router (by cable or WiFi), everything is OK.

If the end-user device is connected to one of the secondary routers, it can't SSH to any host.

ssh -v shows that it hangs waiting for the remote host's reply, but telnet to TCP port 22 shows that a reply does come.

tcpdump shows that no replies are received when ssh is executed.

The solution

The solution is to switch the default firewall rules on the secondary routers to ACCEPT for all chains (i.e. input, output, forward).

It may be a lame way, but since we don't need firewalling inside the network, this solution is acceptable.
